mod_auth_openidc Protected Content Disclosure Vulnerability

Vulnerability

A vulnerability in mod_auth_openidc, an OpenID Certified authentication and authorization module for Apache 2.x, prior to version 2.4.16.11, allows protected content to be disclosed to unauthenticated users. The issue arises when OIDCProviderAuthRequestMethod is set to POST, a valid account is used (the resource is protected with 'Require valid-user'), and no application-level gateway or load balancer sits in front of the server. Under these conditions, a request for a protected resource produces a response that contains the HTTP status, the headers, the intended response (a self-submitting form) and, appended after it, the protected resource itself (with no headers of its own). The leak occurs because the oidc_content_handler, which could intercept the request and suppress the output of protected content, does not check for this specific case, so the protected data is included in the response.

Impact

Exploitation of this vulnerability results in unauthorized access to protected content, which is disclosed to users without authentication.

Reproduction

To reproduce this vulnerability, configure the server to use mod_auth_openidc with OIDCProviderAuthRequestMethod set to POST and the 'Require valid-user' directive. Ensure that no application-level gateway or load balancer is in place. Once these conditions are met, request a protected resource without authenticating. The response will include the protected content, demonstrating the unauthorized disclosure.

Remediation

Users should upgrade to mod_auth_openidc version 2.4.16.11 or later. For Debian 11 (bullseye) users, the updated version is 2.4.9.4-0+deb11u5.
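The following audit script is an added example and is not part of the advisory or of the mod_auth_openidc project. It checks an Apache configuration for the combination of conditions described above (OIDCProviderAuthRequestMethod POST together with 'Require valid-user', with no gateway in front) and compares an upstream module version against the fixed release 2.4.16.11. The two configuration snippets embedded in it are constructed sample input; the provider URL, client ID and passphrase in them are placeholders, and the behind_gateway flag is an assumption supplied by the operator rather than something read from the configuration.

```python
"""Audit mod_auth_openidc settings for the POST-method content disclosure condition.

Added example (not the advisory's or the project's own code). Assumes a plain
httpd.conf-style text configuration and an operator-supplied module version.
"""

# First upstream release carrying the fix, as stated in the advisory.
FIXED_UPSTREAM = (2, 4, 16, 11)


def parse_upstream_version(text: str) -> tuple:
    """Turn '2.4.16.11' or '2.4.9.4-0+deb11u5' into a comparable tuple of ints.

    Only the upstream part before a distro suffix is kept. Note the caveat:
    Debian 11 ships the fix as 2.4.9.4-0+deb11u5 without bumping the upstream
    number, so for distro packages consult the distro advisory instead of this.
    """
    upstream = text.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def upstream_is_fixed(version: str) -> bool:
    """True when the upstream version is 2.4.16.11 or later."""
    return parse_upstream_version(version) >= FIXED_UPSTREAM


def parse_directives(config: str) -> list:
    """Return (name, value) pairs, skipping comments, blank lines and <Section> tags."""
    directives = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return directives


def audit(config: str, behind_gateway: bool = False) -> list:
    """Return a list of findings; empty when the disclosure preconditions are absent."""
    method = "GET"  # documented default for OIDCProviderAuthRequestMethod
    requires_valid_user = False
    for name, value in parse_directives(config):
        if name.lower() == "oidcproviderauthrequestmethod":
            method = value.upper()
        elif name.lower() == "require" and value.lower() == "valid-user":
            requires_valid_user = True

    findings = []
    if method == "POST" and requires_valid_user and not behind_gateway:
        findings.append(
            "OIDCProviderAuthRequestMethod POST with 'Require valid-user' and no "
            "gateway in front: protected content may be appended to the login form "
            "response on module versions before 2.4.16.11. Upgrade, or set the "
            "request method to GET until the upgrade is done."
        )
    return findings


# Constructed sample configurations (placeholder provider and client values).
VULNERABLE_CONF = """
OIDCProviderMetadataURL https://idp.example/.well-known/openid-configuration
OIDCClientID example-client-id
OIDCClientSecret example-client-secret
OIDCRedirectURI https://app.example/protected/redirect_uri
OIDCCryptoPassphrase example-passphrase
OIDCProviderAuthRequestMethod POST
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
"""

# Same deployment with the request method left at its GET default.
HARDENED_CONF = VULNERABLE_CONF.replace(
    "OIDCProviderAuthRequestMethod POST", "OIDCProviderAuthRequestMethod GET"
)

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no finding"])
    for v in ("2.4.16.10", "2.4.16.11", "2.4.17"):
        print(v, "fixed" if upstream_is_fixed(v) else "affected")
```

The version helper and the configuration audit are kept separate on purpose: a configuration that avoids the POST method is safe regardless of version, while a patched module is safe regardless of configuration, and the Debian backport named in the remediation is an example of a fixed package whose upstream number still reads as affected.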

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 7.8
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.